Types of XSS attacks:
- Stored (persistent) XSS: malicious scripts are injected into a vulnerable application, which stores them and serves them to its users.
- Reflected XSS: the malicious code is carried in a link to the web page and reflected back by the page; it is triggered once the user clicks the link.
Defenses against XSS:
- Escaping user input:
Escaping makes data safe before it is presented to the user. It works by preventing the web page from interpreting key characters in a malicious way, so they are treated as text rather than as markup.
- Input validation:
This prevents XSS in forms by restricting the special characters a user can enter into fields. It helps render the right data, reducing the chance of malicious data harming the site, the database and its users.
Blacklisting blocks known bad characters from being entered, while whitelisting allows only known good characters to be entered, significantly reducing XSS attacks.
- Sanitizing user input:
This defense technique is suitable for sites that allow HTML markup. It works by removing potentially harmful markup and converting unacceptable user input into an acceptable format, making the data safe for users.
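As an added example (not part of the original notes), the escaping and whitelist validation defenses described above in JavaScript; the display-name field, its regular expression and the renderComment helper are assumptions chosen for illustration.

```javascript
// Added example, not from the original notes: output escaping plus
// allowlist (whitelist) input validation for a comment form.

// The characters that let data be read as HTML markup or break out of a
// quoted attribute value. Apply when inserting data into HTML body text or
// a quoted attribute; other contexts (JavaScript, URLs, CSS) need their own
// encoders.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation for a display-name field (assumed field): accept only
// letters, digits, spaces, dots and hyphens, 1 to 32 characters. Input that
// does not match is rejected rather than "cleaned", which is why an allowlist
// is more robust than a blacklist of known bad characters.
const DISPLAY_NAME = /^[A-Za-z0-9 .-]{1,32}$/;

function isValidDisplayName(value) {
  return typeof value === "string" && DISPLAY_NAME.test(value);
}

// Build the HTML fragment for one comment: validate the name (returns null on
// rejection so the caller can report a validation error) and escape the
// free-text body, which must be allowed to contain any character.
function renderComment(name, body) {
  if (!isValidDisplayName(name)) {
    return null;
  }
  return `<p><b>${escapeHtml(name)}</b>: ${escapeHtml(body)}</p>`;
}

// Constructed sample input: a body that contains markup and quotes.
const sample = renderComment("Ann B.", '<b>hi</b> & "quotes"');
console.log(sample);
```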
The best way to eliminate XSS is to combine several methods: code review, automated static testing during development, dynamic testing, and secure coding practices.